add details on a new cause of the "no TGT" error, with a detailed description of the failure scenario and fix

steveloughran · steveloughran · commit 2a4d703392ed · 2016-01-26T18:09:56.000Z
diff --git a/sections/errors.md b/sections/errors.md
@@ -90,6 +90,8 @@ Possible causes:
 1. Your process was issued with a ticket, which has now expired.
 1. You did specify a keytab but it isn't there or is somehow otherwise invalid
 1. You don't have the Java Cryptography Extensions installed.
+1. The principal isn't in the same realm as the service, so a matching TGT cannot be found.
+That is: you have a TGT, it's just for the wrong realm.
 
 
 ## `Failure unspecified at GSS-API level (Mechanism level: Checksum failed)`
@@ -392,4 +394,33 @@ Possible causes
 
 
 
-## 
+## SASL `No common protection layer between client and server`
+
+Not Kerberos, SASL itself
+
+```
+16/01/22 09:44:17 WARN Client: Exception encountered while connecting to the server : 
+javax.security.sasl.SaslException: DIGEST-MD5: No common protection layer between client and server
+	at com.sun.security.sasl.digest.DigestMD5Client.checkQopSupport(DigestMD5Client.java:418)
+	at com.sun.security.sasl.digest.DigestMD5Client.evaluateChallenge(DigestMD5Client.java:221)
+	at org.apache.hadoop.security.SaslRpcClient.saslConnect(SaslRpcClient.java:413)
+	at org.apache.hadoop.ipc.Client$Connection.setupSaslConnection(Client.java:558)
+	at org.apache.hadoop.ipc.Client$Connection.access$1800(Client.java:373)
+	at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:727)
+	at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:723)
+	at java.security.AccessController.doPrivileged(Native Method)
+	at javax.security.auth.Subject.doAs(Subject.java:422)
+	at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1657)
+	at org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:722)
+	at org.apache.hadoop.ipc.Client$Connection.access$2800(Client.java:373)
+	at org.apache.hadoop.ipc.Client.getConnection(Client.java:1493)
+	at org.apache.hadoop.ipc.Client.call(Client.java:1397)
+	at org.apache.hadoop.ipc.Client.call(Client.java:1358)
+	at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:229)
+	at com.sun.proxy.$Proxy23.renewLease(Unknown Source)
+	at org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolTranslatorPB.renewLease(ClientNamenodeProtocolTranslatorPB.java:590)
+	at sun.reflect.GeneratedMethodAccessor9.invoke(Unknown Source)
+	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
+	at java.lang.reflect.Method.invoke(Method.java:497)
+```
+
diff --git a/sections/ipc.md b/sections/ipc.md
@@ -33,6 +33,43 @@ token.
 1. Applications may explicitly request delegation tokens to forward to other processes.
 1. Delegation tokens are renewed in a background thread (which?).
 
+
+## IPC authentication options
+
+Hadoop IPC uses [SASL](sasl.html) to authenticate, sign and potentially encrypt
+communications.
+
+## Use Kerberos to authenticate sender and recipient
+
+```xml
+<property>
+<name>hadoop.rpc.protection</name>
+<value>authentication</value>
+</property>
+```
+
+## Kerberos to authenticate sender and recipient, Checksums for tamper-protection
+
+```xml
+<property>
+<name>hadoop.rpc.protection</name>
+<value>integrity</value>
+</property>
+```
+
+## Kerberos to authenticate sender and recipient, Wire Encryption
+
+```xml
+<property>
+<name>hadoop.rpc.protection</name>
+<value>privacy</value>
+</property>
+```
+
+
+
+
+
 ## Adding a new IPC interface to a Hadoop Service/Application
 
 This is "fiddly". It's not impossible, it just involves effort.
diff --git a/sections/terrors.md b/sections/terrors.md
@@ -33,3 +33,123 @@ the client connection —without any notification to the client. Rather than a n
 When a Kerberos keytab is created, the entries in it have a lifespan. The default value is one
 year. This was its first birthday, hence ZK wouldn't trust the client.
 
+**Fix: create new keytabs, valid for another year, and distribute them.**
+
+## The Principal With No Realm
+
+This one showed up during release testing —credit to Andras Bokor for tracking it all down.
+
+A stack trace
+
+```
+16/01/16 01:42:39 WARN ipc.Client: Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
+java.io.IOException: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]; Host Details : local host is: "os-u14-2-2.novalocal/172.22.73.243"; destination host is: "os-u14-2-3.novalocal":8020; 
+	at org.apache.hadoop.net.NetUtils.wrapException(NetUtils.java:773)
+	at org.apache.hadoop.ipc.Client.call(Client.java:1431)
+	at org.apache.hadoop.ipc.Client.call(Client.java:1358)
+	at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:229)
+	at com.sun.proxy.$Proxy11.getFileInfo(Unknown Source)
+	at org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolTranslatorPB.getFileInfo(ClientNamenodeProtocolTranslatorPB.java:771)
+	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
+	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
+	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
+	at java.lang.reflect.Method.invoke(Method.java:606)
+	at org.apache.hadoop.io.retry.RetryInvocationHandler.invokeMethod(RetryInvocationHandler.java:252)
+	at org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:104)
+	at com.sun.proxy.$Proxy12.getFileInfo(Unknown Source)
+	at org.apache.hadoop.hdfs.DFSClient.getFileInfo(DFSClient.java:2116)
+	at org.apache.hadoop.hdfs.DistributedFileSystem$22.doCall(DistributedFileSystem.java:1315)
+	at org.apache.hadoop.hdfs.DistributedFileSystem$22.doCall(DistributedFileSystem.java:1311)
+	at org.apache.hadoop.fs.FileSystemLinkResolver.resolve(FileSystemLinkResolver.java:81)
+	at org.apache.hadoop.hdfs.DistributedFileSystem.getFileStatus(DistributedFileSystem.java:1311)
+	at org.apache.hadoop.fs.FileSystem.exists(FileSystem.java:1424)
+```
+
+This looks like a normal "not logged in" problem, except for some little facts: 
+
+1. The user was logged in.
+1. The failure was replicable.
+1. It only surfaced on OpenJDK, not oracle JDK.
+1. Everything worked on OpenJDK 7u51, but not on OpenJDK 7u91.
+
+Something had changed in the JDK to reject the login on this system (ubuntu, virtual test cluster).
+
+`Kdiag` didn't throw up anything obvious. What did show some warning was `klist`:
+
+```
+Ticket cache: FILE:/tmp/krb5cc_2529
+Default principal: qe@REALM
+
+Valid starting       Expires              Service principal
+01/16/2016 11:07:23  01/16/2016 21:07:23  krbtgt/REALM@REALM 
+	renew until 01/23/2016 11:07:23
+01/16/2016 13:13:11  01/16/2016 21:07:23  HTTP/hdfs-3-5@
+	renew until 01/23/2016 11:07:23
+01/16/2016 13:13:11  01/16/2016 21:07:23  HTTP/hdfs-3-5@REALM
+	renew until 01/23/2016 11:07:23
+```
+
+See that? There's a principal which doesn't have a stated realm. Does that matter? 
+
+In OracleJDK, and OpenJDK 7u51, apparently not. In OpenJDK 7u91, yes
+
+There's some new code in `sun.security.krb5.PrincipalName`
+
+```java
+// Validate a nameStrings argument
+private static void validateNameStrings(String[] ns) {
+    if (ns == null) {
+        throw new IllegalArgumentException("Null nameStrings not allowed");
+    }
+    if (ns.length == 0) {
+        throw new IllegalArgumentException("Empty nameStrings not allowed");
+    }
+    for (String s: ns) {
+        if (s == null) {
+            throw new IllegalArgumentException("Null nameString not allowed");
+        }
+        if (s.isEmpty()) {
+            throw new IllegalArgumentException("Empty nameString not allowed");
+        }
+    }
+}
+```
+
+This checks the code, and rejects if nothing is valid. Now, how does something invalid get in?
+Setting `HADOOP_JAAS_DEBUG=true` and logging at debug turned up output,
+
+With 7u51:
+```
+16/01/20 15:13:20 DEBUG security.UserGroupInformation: using kerberos user:qe@REALM
+```
+
+With 7u91:
+
+```
+16/01/20 15:10:44 DEBUG security.UserGroupInformation: using kerberos user:null
+```
+
+Which means that the default principal wasn't being picked up, instead some JVM specific introspection
+had kicked in —and it was finding the principal without a realm, rather than the one that was.
+
+
+*Fix: add a `domain_realm` in `/etc/krb5.conf` mapping hostnames to realms *
+
+```
+[domain_realm]
+  hdfs-3-5.novalocal = REALM
+```
+
+A `klist` then returns a list of credentials without this realm-less one in.
+
+```
+Valid starting       Expires              Service principal
+01/17/2016 14:49:08  01/18/2016 00:49:08  krbtgt/REALM@REALM
+	renew until 01/24/2016 14:49:08
+01/17/2016 14:49:16  01/18/2016 00:49:08  HTTP/hdfs-3-5@REALM
+	renew until 01/24/2016 14:49:08
+```
+
+Because this was a virtual cluster, DNS/RDNS probably wasn't working, presumably kerberos
+didn't know what realm the host was in, and things went downhill. It just didn't show in
+any validation operations, merely in the classic "no TGT" error.
